[ubuntu-hardened] CVE-2016-5696: Linux kernel tcp stack implementation (off-path blind TCP session attack).
Seth Arnold
seth.arnold at canonical.com
Tue Aug 16 00:20:23 UTC 2016
On Sun, Aug 14, 2016 at 10:24:21AM +0200, daniel curtis wrote:
> Yes, I know that but I would like to ask if I should change the
> net.ipv4.tcp_challenge_ack_limit value e.g. to '1000', until there is no
> patch available. That's all.
1000 is probably better than 100; something larger and less round is
probably better. (Afterall, 1kpps feels like nearly nothing these days.)
You might as well make it a little harder to reach and harder to guess.
Also, while it's certainly surprising that sequence numbers can be
guessed far easier than expected (or than _I_ expected, anyway), it's
a good reminder that data transmitted over untrusted networks should be
treated as untrusted and use TLS or GnuPG or similar tools as needed.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20160815/5af03945/attachment.pgp>
More information about the ubuntu-hardened
mailing list